Dropbox Lied to Users About Data Security, Complaint to FTC Alleges

Dropbox, the wildly popular online storage system, deceived users about the security and encryption of its services, putting it at a competitive advantage, according to an FTC complaint filed Thursday by a prominent security researcher.

The FTC complaint charges Dropbox (.pdf) with telling users that their files were totally encrypted and even Dropbox employees could not see the contents of the file. Ph.D. student Christopher Soghoian published data last month showing that Dropbox could indeed see the contents of files, putting users at risk of government searches, rogue Dropbox employees, and even companies trying to bring mass copyright-infringement suits.

Soghoian, who spent a year working at the FTC, charges that Dropbox “has and continues to make deceptive statements to consumers regarding the extent to which it protects and encrypts their data,” which amounts to a deceptive trade practice that can be investigated by the FTC.

Dropbox dismissed Soghoian’s allegations.

“We believe this complaint is without merit, and raises old issues that were addressed in our blog post on April 21, 2011,” company spokeswoman Julie Supan said in a short e-mail to Wired.com. “Millions of people depend on our service every day and we work hard to keep their data safe, secure, and private.”

Dropbox saves storage space by analyzing users’ files before they are uploaded, using what’s known as a hash — a short, fixed-length fingerprint computed from the file’s contents. If another Dropbox user has already stored a file with the same hash, Dropbox doesn’t actually upload the file again, and simply “adds” the existing copy to the user’s Dropbox.

The keys used to encrypt and decrypt files also are in the hands of Dropbox, not stored on each user’s machines.

Those architecture choices mean that Dropbox employees can see the contents of a user’s storage, and can turn over the nonencrypted files to the government or outside organizations when presented with a subpoena.

Dropbox’s Supan says the company has never said otherwise:

In our help article we stated “Dropbox employees aren’t able to access user files.” That means that we prevent such access via access controls on our backend as well as strict policy prohibitions. That statement didn’t say anything about who holds encryption keys or what mechanisms prevent access to the data. We updated our help article and security overview to be explicit about this. Also, to clarify we’ve never stated we don’t have access to encryption keys. We’ve made quite a few posts in our public forums over the years about this very fact and we are quite open with our community: 1, 2, 3.

But Dropbox promised otherwise, the complaint alleges.

Up until April 13, the site promised this:

Dropbox employees aren’t able to access user files, and when troubleshooting an account, they only have access to file metadata (filenames, file sizes, etc. not the file contents).

Now the site says:

Dropbox employees are prohibited from viewing the content of files you store in your Dropbox account, and are only permitted to view file metadata (e.g., file names and locations).

The company also added this text:

Like most online services, we have a small number of employees who must be able to access user data for the reasons stated in our privacy policy (e.g., when legally required to do so). But that’s the rare exception, not the rule. We have strict policy and technical access controls that prohibit employee access except in these rare circumstances. In addition, we employ a number of physical and electronic security measures to protect user information from unauthorized access.

The complaint alleges that at least two of Dropbox’s competitors, SpiderOak and Wuala, make security promises similar to those of Dropbox, but actually can’t get at the data because they don’t hold the encryption keys. That means those services have to spend more on storage, because they can’t detect duplicate files stored by different users. That, according to the complaint, lets Dropbox promise total security without paying the costs, while putting its competitors at a disadvantage. (SpiderOak does de-duplicate within each user’s account to save users’ space, the company says.)
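To make the trade-off concrete, here is an added Python model (not code from Dropbox, SpiderOak, Wuala or the complaint) of the two designs discussed above: the provider-held-key design with cross-user hash deduplication described earlier, and the client-held-key design the complaint attributes to the competitors. The cipher is an HMAC-SHA256 keystream standing in for AES, and the user names, file names and sample file contents are constructed.

```python
import hashlib
import hmac
import os

def stream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Stand-in stream cipher (HMAC-SHA256 in counter mode); a real service would use AES.
    blocks = (hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
              for i in range((len(data) + 31) // 32))
    return bytes(a ^ b for a, b in zip(data, b"".join(blocks)))

class ProviderHeldKeyStore:
    """The article's description of Dropbox: the client hashes the plaintext, the
    server skips the upload if that hash exists, and the server holds the one key."""
    def __init__(self):
        self.key = os.urandom(32)  # never leaves the provider
        self.blobs, self.accounts = {}, {}  # sha256(plaintext) -> (nonce, ct); user -> {name: id}
    def upload(self, user, name, data):
        h = hashlib.sha256(data).hexdigest()        # computed client-side
        if h not in self.blobs:                     # else: cross-user dedup hit
            nonce = os.urandom(16)
            self.blobs[h] = (nonce, stream_xor(self.key, nonce, data))
        self.accounts.setdefault(user, {})[name] = h
    def provider_read(self, user, name):
        nonce, ct = self.blobs[self.accounts[user][name]]
        return stream_xor(self.key, nonce, ct)      # plaintext, no user involved

class ClientHeldKeyStore:
    """The competitor design the complaint cites: each user encrypts locally under
    a key the provider never sees, so identical files from two users never match."""
    def __init__(self):
        self.blobs, self.accounts = {}, {}  # sha256(ciphertext) -> (nonce, ct); user -> {name: id}
    def upload(self, user, name, data, user_key):
        nonce = hmac.new(user_key, data, hashlib.sha256).digest()[:16]  # per-user convergent
        ct = stream_xor(user_key, nonce, data)      # encrypted before upload
        h = hashlib.sha256(ct).hexdigest()
        self.blobs.setdefault(h, (nonce, ct))       # dedups only within one user's key
        self.accounts.setdefault(user, {})[name] = h
    def provider_read(self, user, name):
        return None                                 # no key on the server side

def compare(data=b"constructed sample: the same report uploaded by two users"):
    # Returns (provider-key blobs, client-key blobs, provider reads Bob's file?, same under client keys?)
    p, c = ProviderHeldKeyStore(), ClientHeldKeyStore()
    keys = {u: os.urandom(32) for u in ("alice", "bob")}  # held by the users only
    for user in keys:
        p.upload(user, "report.pdf", data)
        c.upload(user, "report.pdf", data, keys[user])
    c.upload("alice", "copy.pdf", data, keys["alice"])  # same user, same file again
    return (len(p.blobs), len(c.blobs), p.provider_read("bob", "report.pdf") == data,
            c.provider_read("bob", "report.pdf") == data)
```

Running `compare()` shows the provider-key design storing one blob it can read in the clear, while the client-key design stores two blobs it cannot read, with Alice's second copy still deduplicated inside her own account.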

Dropbox’s security statements were confusing to users — including to computer security experts, the complaint alleges.

Soghoian cites as evidence comments on Dropbox’s own blog and a Tweet from Jon Callas, who spent years as chief technology officer of PGP Corporation, one of the most respected providers of encryption products. Callas now works for Apple, focusing on security.

Callas tweeted on April 19: “I deleted my Dropbox account. It turns out that they lied and don’t actually encrypt your files and will hand them over to anyone who asks.” (Technically, Callas is incorrect because the files are encrypted, just not encrypted on the users’ devices.)

The complaint additionally alleges that Dropbox misleads users of its mobile app, by claiming that its product uses an encrypted HTTPS connection to communicate between a user’s device and Dropbox’s servers. In fact, the mobile device does not encrypt all the traffic.

Soghoian is asking the FTC to force Dropbox to clarify its website further, to contact all its users to tell them Dropbox can see their data in the clear, offer refunds to “Pro” users and prohibit the company from making deceptive claims in the future.

Update: This story was updated at 3:25 PDT to include comment from Dropbox, which did not respond by initial publication time.

Update 2: This story was updated at 6:15 PDT to include additional comment from Dropbox about its statements to users about employee access to data.
